How many API versions should I support simultaneously?

Support the current version and one previous major version. Enterprise contracts typically guarantee 18-24 months of version support. Maintaining more than two concurrent versions multiplies testing burden and bug surface. Provide automated migration tools or code generation to help customers upgrade.

Should enterprise SaaS APIs use GraphQL or REST?

REST for the public API. Enterprise integration teams expect REST — it works with every HTTP client, API gateway, and monitoring tool. GraphQL can serve as an internal API or a secondary option for partners who need flexible querying. The operational complexity of GraphQL (query cost analysis, N+1 prevention, authorization per field) is justified only when query flexibility is a core product requirement.

How do I handle API key rotation without downtime?

Support multiple active API keys per tenant. When a customer creates a new key, the old key remains valid for a configurable grace period (default 30 days). Provide a key status endpoint that shows which keys are active, deprecated, or revoked. Send webhook notifications 7 days before a deprecated key expires.

What SLA should enterprise SaaS APIs guarantee?

99.9% uptime (8.7 hours downtime/year) is the standard baseline. 99.95% is competitive. 99.99% requires multi-region active-active deployment and is only necessary for infrastructure APIs. Specify SLA per endpoint category — read endpoints can have higher SLAs than write endpoints because they are cacheable and can be served from replicas.

SaaS API Design Best Practices for Enterprise Teams

Enterprise SaaS APIs serve as integration points for Fortune 500 customers who expect contract-grade reliability, comprehensive documentation, and backwards-compatible evolution. These best practices address the specific API design challenges enterprise teams face beyond basic REST conventions.

API Versioning Strategy

URL-Based Versioning for Enterprise Stability

GET /api/v2/tenants/{tenantId}/users GET /api/v2/tenants/{tenantId}/invoices

Enterprise customers sign contracts with specific API version commitments. URL-based versioning makes version pinning explicit and auditable:

typescript

1// NestJS versioning setup

2import { VersioningType } from '@nestjs/common';

4app.enableVersioning({

5 type: VersioningType.URI,

6 defaultVersion: '2',

7 prefix: 'api/v',

8});

10@Controller({ version: '2' })

11export class UsersController {

12 @Get('users')

13 listUsers(@Query() query: ListUsersDto) { /* ... */ }

14}

16// Maintain v1 with deprecation notices

17@Controller({ version: '1' })

18@Deprecated()

19export class UsersControllerV1 {

20 @Get('users')

21 @Header('Deprecation', 'true')

22 @Header('Sunset', 'Sat, 01 Mar 2026 00:00:00 GMT')

23 listUsers(@Query() query: ListUsersV1Dto) { /* ... */ }

24}

Version Sunset Policy

Document a clear deprecation timeline:

Announcement: 12 months before sunset
Deprecation headers: 6 months before sunset (add Deprecation: true and Sunset headers)
Soft sunset: 3 months before — return 299 warnings for v1 calls
Hard sunset: Version returns 410 Gone with migration guide URL

Authentication and Authorization

API Key + OAuth2 Hybrid

Enterprise APIs typically support both patterns:

typescript

1@Injectable()

2export class AuthGuard implements CanActivate {

3 async canActivate(context: ExecutionContext): Promise<boolean> {

4 const request = context.switchToHttp().getRequest();

6 // Check API key first (machine-to-machine)

7 const apiKey = request.headers['x-api-key'];

8 if (apiKey) {

9 const tenant = await this.apiKeyService.validate(apiKey);

10 if (!tenant) throw new UnauthorizedException('Invalid API key');

11 request.tenant = tenant;

12 request.authMethod = 'api_key';

13 return true;

14 }

16 // Fall back to OAuth2 bearer token (user context)

17 const bearer = request.headers.authorization?.replace('Bearer ', '');

18 if (bearer) {

19 const token = await this.oauth2Service.validate(bearer);

20 if (!token) throw new UnauthorizedException('Invalid token');

21 request.tenant = token.tenant;

22 request.user = token.user;

23 request.authMethod = 'oauth2';

24 return true;

25 }

27 throw new UnauthorizedException('Authentication required');

28 }

29}

Scoped API Keys

Enterprise customers need granular API key permissions:

typescript

1interface ApiKeyScope {

2 resources: string[]; // ['users', 'invoices']

3 actions: string[]; // ['read', 'write']

4 ipWhitelist?: string[]; // ['10.0.0.0/24']

5 rateLimit?: number; // requests per minute

6 expiresAt?: Date;

Pagination

Cursor-Based Pagination for Large Datasets

Enterprise tenants often have millions of records. Cursor-based pagination scales where offset-based fails:

typescript

1interface PaginatedResponse<T> {

2 data: T[];

3 pagination: {

4 nextCursor: string | null;

5 previousCursor: string | null;

6 hasMore: boolean;

7 totalCount?: number;

8 };

11@Get('users')

12async listUsers(

13 @Query('cursor') cursor?: string,

14 @Query('limit') limit: number = 25,

15 @Query('direction') direction: 'forward' | 'backward' = 'forward',

16): Promise<PaginatedResponse<User>> {

17 const maxLimit = Math.min(limit, 100);

18 const decodedCursor = cursor ? this.decodeCursor(cursor) : null;

20 const users = await this.userService.list({

21 cursor: decodedCursor,

22 limit: maxLimit + 1, // Fetch one extra to determine hasMore

23 direction,

24 });

26 const hasMore = users.length > maxLimit;

27 const data = hasMore ? users.slice(0, maxLimit) : users;

29 return {

30 data,

31 pagination: {

32 nextCursor: hasMore ? this.encodeCursor(data[data.length - 1]) : null,

33 previousCursor: decodedCursor ? this.encodeCursor(data[0]) : null,

34 hasMore,

35 },

36 };

37}

Rate Limiting

Tiered Rate Limits by Plan

typescript

1const RATE_LIMITS: Record<string, RateConfig> = {

2 starter: { requestsPerMinute: 60, burstLimit: 10, dailyLimit: 10_000 },

3 professional: { requestsPerMinute: 600, burstLimit: 50, dailyLimit: 100_000 },

4 enterprise: { requestsPerMinute: 6_000, burstLimit: 200, dailyLimit: 1_000_000 },

5};

7@Injectable()

8export class RateLimitGuard implements CanActivate {

9 async canActivate(context: ExecutionContext): Promise<boolean> {

10 const request = context.switchToHttp().getRequest();

11 const tenant = request.tenant;

12 const config = RATE_LIMITS[tenant.plan];

13 const key = `rl:${tenant.id}:${this.getWindow()}`;

15 const current = await this.redis.incr(key);

16 if (current === 1) await this.redis.expire(key, 60);

18 const response = context.switchToHttp().getResponse();

19 response.setHeader('X-RateLimit-Limit', config.requestsPerMinute);

20 response.setHeader('X-RateLimit-Remaining', Math.max(0, config.requestsPerMinute - current));

22 if (current > config.requestsPerMinute) {

23 response.setHeader('Retry-After', '60');

24 throw new HttpException('Rate limit exceeded', 429);

25 }

27 return true;

28 }

29}

Error Responses

RFC 7807 Problem Details

typescript

1interface ProblemDetails {

2 type: string;

3 title: string;

4 status: number;

5 detail: string;

6 instance: string;

7 errors?: Array<{ field: string; message: string; code: string }>;

8 traceId: string;

11@Catch()

12export class GlobalExceptionFilter implements ExceptionFilter {

13 catch(exception: unknown, host: ArgumentsHost) {

14 const ctx = host.switchToHttp();

15 const response = ctx.getResponse();

16 const request = ctx.getRequest();

18 const problem: ProblemDetails = {

19 type: 'https://api.example.com/errors/validation',

20 title: 'Validation Error',

21 status: 400,

22 detail: 'One or more fields failed validation',

23 instance: request.url,

24 traceId: request.headers['x-request-id'] ?? crypto.randomUUID(),

25 };

27 response.status(problem.status).json(problem);

28 }

29}

Need a second opinion on your saas engineering architecture?

I run free 30-minute strategy calls for engineering teams tackling this exact problem.

Book a Free Call

Webhook Design

Reliable Webhook Delivery

typescript

1interface WebhookEvent {

2 id: string;

3 type: string;

4 createdAt: string;

5 data: Record<string, unknown>;

6 apiVersion: string;

9class WebhookService {

10 async deliver(event: WebhookEvent, endpoint: WebhookEndpoint): Promise<void> {

11 const payload = JSON.stringify(event);

12 const signature = this.sign(payload, endpoint.secret);

14 const response = await fetch(endpoint.url, {

15 method: 'POST',

16 headers: {

17 'Content-Type': 'application/json',

18 'X-Webhook-Signature': signature,

19 'X-Webhook-Id': event.id,

20 'X-Webhook-Timestamp': event.createdAt,

21 },

22 body: payload,

23 signal: AbortSignal.timeout(30000),

24 });

26 if (!response.ok) {

27 await this.scheduleRetry(event, endpoint, response.status);

28 }

29 }

31 private sign(payload: string, secret: string): string {

32 return createHmac('sha256', secret).update(payload).digest('hex');

33 }

34}

Idempotency

Idempotency Keys for Mutation Endpoints

typescript

1@Post('invoices')

2async createInvoice(

3 @Headers('Idempotency-Key') idempotencyKey: string,

4 @Body() dto: CreateInvoiceDto,

5): Promise<Invoice> {

6 if (!idempotencyKey) {

7 throw new BadRequestException('Idempotency-Key header required for POST requests');

8 }

10 const existing = await this.idempotencyService.get(idempotencyKey);

11 if (existing) {

12 return existing.response;

13 }

15 const invoice = await this.invoiceService.create(dto);

16 await this.idempotencyService.store(idempotencyKey, invoice, 86400);

17 return invoice;

18}

Checklist

Anti-Patterns to Avoid

Breaking changes in minor versions: Enterprise customers integrate your API into automated workflows. Any breaking change — even adding a required field — must be in a new major version.

Inconsistent naming conventions: Pick snake_case or camelCase and use it everywhere. Enterprise API consumers code-generate clients from your OpenAPI spec; inconsistent naming creates broken generated code.

Returning unbounded responses: Every list endpoint must be paginated. An enterprise tenant with 2 million users can bring down your API server with a single unparameterized GET request.

Conclusion

Enterprise SaaS API design is a contract between your platform and your customers' engineering teams. Every design decision — versioning strategy, authentication model, pagination approach, error format — becomes a commitment that enterprise customers build their systems around. Design for stability, document exhaustively, and evolve the API through additive changes rather than breaking modifications.

The best enterprise APIs are boring by design. They follow established conventions (REST, RFC 7807, cursor pagination, HMAC webhooks), provide comprehensive SDKs, and change infrequently. Innovation belongs in your product features, not in your API surface.

FAQ

Need expert help?

Building with saas engineering?

I help teams ship production-grade systems. From architecture review to hands-on builds.

Book a Free Call Send a Brief

api-design rest graphql saas enterprise best-practices

Muneer Puthiya Purayil

SaaS Architect & AI Systems Engineer. 10+ years shipping production infrastructure across fintech, automotive, e-commerce, and healthcare.

View Portfolio Book a Call

← Previous

API Versioning Strategy

URL-Based Versioning for Enterprise Stability

Version Sunset Policy

Authentication and Authorization

API Key + OAuth2 Hybrid

Scoped API Keys

Pagination

Cursor-Based Pagination for Large Datasets

Rate Limiting

Tiered Rate Limits by Plan

Error Responses

RFC 7807 Problem Details

Webhook Design

Reliable Webhook Delivery

Idempotency

Idempotency Keys for Mutation Endpoints

Checklist

Anti-Patterns to Avoid

Conclusion

FAQ

Building with saas engineering?

SaaS API Design Best Practices for High Scale Teams

SaaS API Design Best Practices for Startup Teams

How to Build SaaS API Design Using Spring Boot

SaaS API Design Best Practices for High Scale Teams

SaaS API Design Best Practices for Startup Teams

Start aConversation.

Start a
Conversation.